Apache HTTPD: HTTP/2 CONTINUATION denial of service (CVE-2016-8740)
Severity | CVSS | Published | Added | Modified |
---|---|---|---|---|
5 | (AV:N/AC:L/Au:N/C:N/I:N/A:P) | December 05, 2016 | December 05, 2016 | January 08, 2018 |
Description
The HTTP/2 protocol implementation (mod_http2) handled the LimitRequestFields directive incompletely. This allowed an attacker to inject unlimited request headers into the server, leading to eventual memory exhaustion.
Solution
apache-httpd-upgrade-2_4_25
Related Vulnerabilities
- SUSE: CVE-2016-8740: SUSE Linux Security Advisory
- HP-UX: CVE-2016-8740: HPE HP-UX Web Server Suite running Apache, Multiple Vulnerabilities
- Gentoo Linux: CVE-2016-8740: Apache: Multiple vulnerabilities
- Vulnerabilities deemed not relevant on Red Hat Enterprise Linux 5
- Vulnerabilities deemed not relevant on Red Hat Enterprise Linux 7
- Alpine Linux: CVE-2016-8740: apache2 Multiple vulnerabilities
- OS X update for apache (CVE-2016-8740)
- FreeBSD: (Multiple Advisories) (CVE-2016-8740): Apache httpd -- several vulnerabilities
- Oracle Solaris 11: CVE-2016-8740: Vulnerability in Apache HTTP server
- Vulnerabilities deemed not relevant on Red Hat Enterprise Linux 6